[Vpn-help] VPN problem ( sa already mature ), but Windows works

Zoltan zlt at freemail.hu
Tue Feb 24 19:02:34 CST 2009


vpn-help at lists.shrew.net

Hello All,
I need your kind help. I can connect to my firm's VPN
with XP. But I cannot establish the same connection
from Ubuntu.

Using Windows, the settings are MSCHAP2 only,
AND they need IPsec pre-shared key.
I enter the username and pwd in a
dialog-box later. It works.

Using VPN Client 2.1.2? (Ubuntu package) I fail.
I always get an error:
phase1 packet ignored ( sa already mature )

The use of pre-shared key in the authentication
configuration may be correct, because if
it is wrong, I see fewer lines in the log.

I attach here a shortened log of the connection.
Can you help?

Thanks for your attention
Zoltan

(Sorry for using a fake address instead of
my company address.)


============
09/02/22 18:56:07 ii : ipc client process thread begin ...
09/02/22 18:56:07 <A : peer config add message
09/02/22 18:56:07 DB : peer added ( obj count = 1 )
09/02/22 18:56:07 ii : local address 192.168.0.120:500 selected for peer
09/02/22 18:56:07 DB : tunnel added ( obj count = 1 )
09/02/22 18:56:07 <A : proposal config message
09/02/22 18:56:07 <A : proposal config message
09/02/22 18:56:07 <A : client config message
09/02/22 18:56:07 <A : local id '' message
09/02/22 18:56:07 <A : remote id '' message
09/02/22 18:56:07 <A : preshared key message
09/02/22 18:56:07 <A : peer tunnel enable message
09/02/22 18:56:07 DB : new phase1 ( ISAKMP initiator )
09/02/22 18:56:07 DB : exchange type is identity protect
09/02/22 18:56:07 DB : 192.168.0.120:500 <-> 2xx.xxx.xxx.xx4:500
09/02/22 18:56:07 DB : 6dd8bfb718f34995:0000000000000000
09/02/22 18:56:07 DB : phase1 added ( obj count = 1 )
09/02/22 18:56:07 >> : security association payload
09/02/22 18:56:07 >> : - proposal #1 payload 
09/02/22 18:56:07 >> : -- transform #1 payload 
...
09/02/22 18:56:07 >> : -- transform #88 payload 
09/02/22 18:56:07 >> : -- transform #89 payload 
09/02/22 18:56:07 >> : -- transform #90 payload 
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports nat-t ( draft v00 )
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports nat-t ( draft v01 )
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports nat-t ( draft v02 )
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports nat-t ( draft v03 )
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports nat-t ( rfc )
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports FRAGMENTATION
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local supports DPDv1
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local is SHREW SOFT compatible
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local is CISCO UNITY compatible
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local is NETSCREEN compatible
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local is SIDEWINDER compatible
09/02/22 18:56:07 >> : vendor id payload
09/02/22 18:56:07 ii : local is CHECKPOINT compatible
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:0000000000000000
09/02/22 18:56:07 -> : send IKE packet 192.168.0.120:500 -> 2xx.xxx.xxx.xx4:500 ( 3828 bytes )
09/02/22 18:56:07 DB : phase1 resend event scheduled ( ref count = 2 )
09/02/22 18:56:07 ii : opened tap device tap0
09/02/22 18:56:07 <- : recv IKE packet 2xx.xxx.xxx.xx4:500 -> 192.168.0.120:500 ( 148 bytes )
09/02/22 18:56:07 ii : parsing ike packet header
09/02/22 18:56:07 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:07 DB : phase1 found
09/02/22 18:56:07 ii : processing phase1 packet ( 148 bytes )
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 << : security association payload
09/02/22 18:56:07 << : - propsal #1 payload 
09/02/22 18:56:07 << : -- transform #1 payload 
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
09/02/22 18:56:07 ii : cipher type ( 3des != aes )
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
...
09/02/22 18:56:07 ii : cipher type ( 3des != blowfish )
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
09/02/22 18:56:07 ii : cipher type ( 3des != blowfish )
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
09/02/22 18:56:07 ii : dh group description ( modp-1024 != modp-3072 )
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
09/02/22 18:56:07 ii : dh group description ( modp-1024 != modp-2048 )
09/02/22 18:56:07 ii : unmatched isakmp proposal/transform
09/02/22 18:56:07 ii : dh group description ( modp-1024 != modp-1536 )
09/02/22 18:56:07 !! : peer violates RFC, transform number mismatch ( 1 != 64 )
09/02/22 18:56:07 ii : matched isakmp proposal #1 transform #1
09/02/22 18:56:07 ii : - transform    = ike
09/02/22 18:56:07 ii : - cipher type  = 3des
09/02/22 18:56:07 ii : - key length   = default
09/02/22 18:56:07 ii : - hash type    = md5
09/02/22 18:56:07 ii : - dh group     = modp-1024
09/02/22 18:56:07 ii : - auth type    = psk
09/02/22 18:56:07 ii : - life seconds = 86400
09/02/22 18:56:07 ii : - life kbytes  = 0
09/02/22 18:56:07 << : vendor id payload
09/02/22 18:56:07 ii : unknown vendor id ( 20 bytes )
09/02/22 18:56:07 0x : 1e2b5169 05991c7d 7c96fcbf b587e461 00000004
09/02/22 18:56:07 << : vendor id payload
09/02/22 18:56:07 ii : unknown vendor id ( 16 bytes )
09/02/22 18:56:07 0x : 4048b7d5 6ebce885 25e7de7f 00d6c2d3
09/02/22 18:56:07 << : vendor id payload
09/02/22 18:56:07 ii : peer supports nat-t ( draft v02 )
09/02/22 18:56:07 >> : key exchange payload
09/02/22 18:56:07 >> : nonce payload
09/02/22 18:56:07 >> : nat discovery payload
09/02/22 18:56:07 >> : nat discovery payload
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 DB : phase1 resend event canceled ( ref count = 1 )
09/02/22 18:56:07 -> : send IKE packet 192.168.0.120:500 -> 2xx.xxx.xxx.xx4:500 ( 252 bytes )
09/02/22 18:56:07 DB : phase1 resend event scheduled ( ref count = 2 )
09/02/22 18:56:07 <- : recv IKE packet 2xx.xxx.xxx.xx4:500 -> 192.168.0.120:500 ( 224 bytes )
09/02/22 18:56:07 ii : parsing ike packet header
09/02/22 18:56:07 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:07 DB : phase1 found
09/02/22 18:56:07 ii : processing phase1 packet ( 224 bytes )
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 << : key exchange payload
09/02/22 18:56:07 << : nonce payload
09/02/22 18:56:07 << : nat discovery payload
09/02/22 18:56:07 << : nat discovery payload
09/02/22 18:56:07 ii : nat discovery - local address is translated
09/02/22 18:56:07 ii : switching to nat-t udp port 4500
09/02/22 18:56:07 == : DH shared secret ( 128 bytes )
09/02/22 18:56:07 == : SETKEYID ( 16 bytes )
09/02/22 18:56:07 == : SETKEYID_d ( 16 bytes )
09/02/22 18:56:07 == : SETKEYID_a ( 16 bytes )
09/02/22 18:56:07 == : SETKEYID_e ( 16 bytes )
09/02/22 18:56:07 == : cipher key ( 32 bytes )
09/02/22 18:56:07 == : cipher iv ( 8 bytes )
09/02/22 18:56:07 >> : identification payload
09/02/22 18:56:07 == : phase1 hash_i ( computed ) ( 16 bytes )
09/02/22 18:56:07 >> : hash payload
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 >= : encrypt iv ( 8 bytes )
09/02/22 18:56:07 => : encrypt packet ( 60 bytes )
09/02/22 18:56:07 == : stored iv ( 8 bytes )
09/02/22 18:56:07 DB : phase1 resend event canceled ( ref count = 1 )
09/02/22 18:56:07 -> : send NAT-T:IKE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500 ( 92 bytes )
09/02/22 18:56:07 DB : phase1 resend event scheduled ( ref count = 2 )
09/02/22 18:56:07 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:07 ii : parsing ike packet header
09/02/22 18:56:07 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:07 DB : phase1 found
09/02/22 18:56:07 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 =< : decrypt iv ( 8 bytes )
09/02/22 18:56:07 <= : decrypt packet ( 60 bytes )
09/02/22 18:56:07 == : stored iv ( 8 bytes )
09/02/22 18:56:07 << : identification payload
09/02/22 18:56:07 ii : phase1 id match ( natt prevents ip match )
09/02/22 18:56:07 ii : phase1 id match ( ipv4-host 2xx.xxx.xxx.xx4 )
09/02/22 18:56:07 << : hash payload
09/02/22 18:56:07 == : phase1 hash_r ( computed ) ( 16 bytes )
09/02/22 18:56:07 == : phase1 hash_r ( received ) ( 16 bytes )
09/02/22 18:56:07 ii : phase1 sa established
09/02/22 18:56:07 ii : 2xx.xxx.xxx.xx4:4500 <-> 192.168.0.120:4500
09/02/22 18:56:07 ii : 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 DB : phase1 resend event canceled ( ref count = 1 )
09/02/22 18:56:07 ii : sending peer INITIAL-CONTACT notification
09/02/22 18:56:07 ii : - 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500
09/02/22 18:56:07 ii : - isakmp spi = 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 ii : - data size 0
09/02/22 18:56:07 >> : hash payload
09/02/22 18:56:07 >> : notification payload
09/02/22 18:56:07 == : new informational hash ( 16 bytes )
09/02/22 18:56:07 == : new phase2 iv ( 8 bytes )
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 >= : encrypt iv ( 8 bytes )
09/02/22 18:56:07 => : encrypt packet ( 76 bytes )
09/02/22 18:56:07 == : stored iv ( 8 bytes )
09/02/22 18:56:07 -> : send NAT-T:IKE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500 ( 108 bytes )
09/02/22 18:56:07 DB : config added ( obj count = 1 )
09/02/22 18:56:07 ii : xauth is not required
09/02/22 18:56:07 ii : building config attribute list
09/02/22 18:56:07 ii : - IP4 Address
09/02/22 18:56:07 ii : - Address Expiry
09/02/22 18:56:07 ii : - IP4 Netamask
09/02/22 18:56:07 ii : - IP4 DNS Server
09/02/22 18:56:07 ii : - IP4 Subnet
09/02/22 18:56:07 ii : sending config pull request
09/02/22 18:56:07 == : new phase2 iv ( 8 bytes )
09/02/22 18:56:07 >> : hash payload
09/02/22 18:56:07 >> : attribute payload
09/02/22 18:56:07 == : new configure hash ( 16 bytes )
09/02/22 18:56:07 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:56:07 >= : encrypt iv ( 8 bytes )
09/02/22 18:56:07 => : encrypt packet ( 76 bytes )
09/02/22 18:56:07 == : stored iv ( 8 bytes )
09/02/22 18:56:07 -> : send NAT-T:IKE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500 ( 108 bytes )
09/02/22 18:56:07 DB : config resend event scheduled ( ref count = 2 )
09/02/22 18:56:07 DB : phase2 not found
09/02/22 18:56:09 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:09 ii : parsing ike packet header
09/02/22 18:56:09 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:09 DB : phase1 found
09/02/22 18:56:09 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:09 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:11 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:11 ii : parsing ike packet header
09/02/22 18:56:11 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:11 DB : phase1 found
09/02/22 18:56:11 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:11 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:15 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:15 ii : parsing ike packet header
09/02/22 18:56:15 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:15 DB : phase1 found
09/02/22 18:56:15 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:15 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:17 ii : resend 1 packet(s) for config exchange
09/02/22 18:56:22 DB : phase1 found
09/02/22 18:56:22 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500
09/02/22 18:56:23 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:23 ii : parsing ike packet header
09/02/22 18:56:23 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:23 DB : phase1 found
09/02/22 18:56:23 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:23 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:27 ii : resend 1 packet(s) for config exchange
09/02/22 18:56:37 ii : resend limit exceeded for config exchange
09/02/22 18:56:37 DB : config deleted ( obj count = 0 )
09/02/22 18:56:37 DB : phase1 found
09/02/22 18:56:37 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500
09/02/22 18:56:39 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 60 bytes )
09/02/22 18:56:39 ii : parsing ike packet header
09/02/22 18:56:39 ii : attempting to locate phase1 sa for packet
09/02/22 18:56:39 DB : phase1 found
09/02/22 18:56:39 ii : processing phase1 packet ( 60 bytes )
09/02/22 18:56:39 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:52 DB : phase1 found
09/02/22 18:56:52 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500
09/02/22 18:57:07 DB : phase1 found
09/02/22 18:57:07 -> : send NAT-T:KEEP-ALIVE packet 192.168.0.120:4500 -> 2xx.xxx.xxx.xx4:4500
09/02/22 18:57:11 <- : recv NAT-T:IKE packet 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500 ( 76 bytes )
09/02/22 18:57:11 ii : parsing ike packet header
09/02/22 18:57:11 ii : attempting to locate phase1 sa for packet
09/02/22 18:57:11 DB : phase1 found
09/02/22 18:57:11 ii : processing informational packet ( 76 bytes )
09/02/22 18:57:11 == : new phase2 iv ( 8 bytes )
09/02/22 18:57:11 =< : using ISAKMP SA 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:57:11 =< : decrypt iv ( 8 bytes )
09/02/22 18:57:11 <= : decrypt packet ( 76 bytes )
09/02/22 18:57:11 == : stored iv ( 8 bytes )
09/02/22 18:57:11 << : hash payload
09/02/22 18:57:11 << : delete payload
09/02/22 18:57:11 == : informational hash_i ( computed ) ( 16 bytes )
09/02/22 18:57:11 == : informational hash_c ( received ) ( 16 bytes )
09/02/22 18:57:11 ii : informational hash verified
09/02/22 18:57:11 ii : received peer DELETE message
09/02/22 18:57:11 ii : - 2xx.xxx.xxx.xx4:4500 -> 192.168.0.120:4500
09/02/22 18:57:11 ii : - isakmp spi = 6dd8bfb718f34995:61d5242f3d4e1bba
09/02/22 18:57:11 DB : phase1 found
09/02/22 18:57:11 ii : cleanup, marked phase1 6dd8bfb718f34995:61d5242f3d4e1bba for removal
09/02/22 18:57:11 DB : phase1 soft event canceled ( ref count = 4 )
09/02/22 18:57:11 DB : phase1 hard event canceled ( ref count = 3 )
09/02/22 18:57:11 DB : phase1 dead event canceled ( ref count = 2 )
09/02/22 18:57:11 ii : phase1 removal before expire time
09/02/22 18:57:11 DB : phase1 not found
09/02/22 18:57:11 DB : phase1 deleted ( obj count = 0 )
09/02/22 18:57:11 ii : closed tap device tap0
09/02/22 18:57:11 DB : tunnel natt event canceled ( ref count = 2 )
09/02/22 18:57:11 DB : tunnel stats event canceled ( ref count = 1 )
09/02/22 18:57:11 DB : removing tunnel config references
09/02/22 18:57:11 DB : removing tunnel phase2 references
09/02/22 18:57:11 DB : removing tunnel phase1 references
09/02/22 18:57:11 DB : tunnel deleted ( obj count = 0 )
09/02/22 18:57:11 DB : removing all peer tunnel refrences
09/02/22 18:57:11 DB : peer deleted ( obj count = 0 )
09/02/22 18:57:11 ii : ipc client process thread exit ...
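
A small parser for the log format above, added here as an example (not part of the original post or of the Shrew Soft client): it extracts the negotiated phase 1 transform, the `sa already mature` packets and the events that end the attempt. The report labels and the list of values flagged as weak are this example's own choices.

```python
import re
from datetime import datetime

# Excerpt of the iked log posted above, shortened to the lines that matter.
SAMPLE = """\
09/02/22 18:56:07 ii : matched isakmp proposal #1 transform #1
09/02/22 18:56:07 ii : - cipher type  = 3des
09/02/22 18:56:07 ii : - hash type    = md5
09/02/22 18:56:07 ii : - dh group     = modp-1024
09/02/22 18:56:07 ii : phase1 sa established
09/02/22 18:56:07 ii : xauth is not required
09/02/22 18:56:09 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:11 !! : phase1 packet ignored ( sa already mature )
09/02/22 18:56:37 ii : resend limit exceeded for config exchange
09/02/22 18:57:11 ii : received peer DELETE message
"""

LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\S\S) : (.*?)\s*$")
ATTR = re.compile(r"^- ([a-z0-9 ]+?)\s*= (\S+)$")
# Report labels and the weak-value list are this example's own choices.
EVENTS = {"phase1 sa established": "phase1 established",
          "xauth is not required": "client skipped XAuth",
          "resend limit exceeded for config exchange": "config pull request never answered",
          "received peer DELETE message": "peer deleted the ISAKMP SA"}
WEAK = {"cipher type": {"3des"}, "hash type": {"md5"}, "dh group": {"modp-1024"}}

def summarize(text):
    """Reduce an iked debug log to the negotiated transform and key events."""
    s = {"transform": {}, "ignored": [], "events": {}}
    in_match = False
    for m in filter(None, map(LINE.match, text.splitlines())):  # skips "..." lines
        ts, tag, msg = datetime.strptime(m[1], "%y/%m/%d %H:%M:%S"), m[2], m[3]
        if in_match and (attr := ATTR.match(msg)):
            s["transform"][attr[1]] = attr[2]  # attribute of the matched transform
            continue
        in_match = msg.startswith("matched isakmp proposal")
        if msg in EVENTS:
            s["events"][EVENTS[msg]] = ts
        elif tag == "!!" and "sa already mature" in msg:
            s["ignored"].append(ts)
    return s

def findings(s):
    out = [f"weak {k}: {v}" for k, v in s["transform"].items() if v in WEAK.get(k, ())]
    up = s["events"].get("phase1 established")
    if up and s["ignored"]:
        span = int((s["ignored"][-1] - up).total_seconds())
        out.append(f"{len(s['ignored'])} phase1 packets ignored, last {span}s after SA setup")
    return out + [e for e in s["events"] if e != "phase1 established"]
```

`findings(summarize(log_text))` returns the observations as a list of strings; pass it the full iked log to see every ignored packet counted.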

